
Australia's Mandatory Data Breach Notification Bill Revealed

samzenpus posted about a year ago | from the just-so-you-know dept.


mask.of.sanity writes "Australia's plans for a data breach notification scheme have been revealed which will force organizations to report serious breaches to affected victims. The plans, which are still in a draft form, show that the country's privacy commissioner could force businesses to inform press if the breaches are bad enough, pursue fines of up to $1.7 million for organizations that are repeatedly breached and force businesses to adopt stronger security controls."


40 comments

Once more (-1, Troll)

ozduo (2043408) | about a year ago | (#43605275)

Into the breach dear friends!

Re:Once more (0)

Dexter Herbivore (1322345) | about a year ago | (#43606679)

Parent has been modded troll? It wasn't OT, it wasn't a "frist post" although it did lack meaningful content... but most jokes or attempts at them do. I'm surprised by the modding on this occasion.

Good plan. (5, Insightful)

Mitreya (579078) | about a year ago | (#43605299)

I know I am restating the obvious, but I find it interesting how no one is ever responsible for the security breach...
Just got a note from LivingSocial -- they inform me of the fact and tell me to reset my password. Almost like this is a force of nature event and not a screw up on their part for having been breached. Perhaps at least repeat offenders should be held responsible?

Re:Good plan. (-1)

Anonymous Coward | about a year ago | (#43605401)

I think that it's a woman's fault for being raped. If she hadn't been flaunting her body, weak-willed men wouldn't have taken advantage of her holes. It's especially bad when the woman gets "raped" several times. She needs to be locked away until either her cocklust is cured or her shame about her need to have a huge slab of man meat in her ass is gone.

Re:Good plan. (1)

Agent ME (1411269) | about a year ago | (#43605747)

I think a better analogy would be someone falling for a scam. Is it the victim's fault the 4th time they've sent $10,000 to a Nigerian prince?

Re:Good plan. (3, Insightful)

Cryacin (657549) | about a year ago | (#43606071)

Let's put all of the strawmen arguments aside. What we are talking about is a situation where there is an advised duty of care, with something that is valuable to us to be kept secret. The provision of our information. This is more analogous to a bank. There is an implied expectation of security when we put money into its security box, that only we can access it.

Imagine if you had the expectation of your secure documents being in a bank vault, with limited access, multiple keys, so that bank employees can't just access your goods etc is in place. Instead, you have a set of shoe boxes, stored in a garden shed with a screen door flapping in the breeze.

If a bank heist happens, and your documents are stolen, and the bank has done everything that they can do, then the breach should not be punished, if, however, a second heist occurs, and the bank has fallen for the same trap again, you would think that the bank should be held accountable, no?

Re:Good plan. (1)

AmiMoJo (196126) | about a year ago | (#43607237)

This is more analogous to a bank.

In that case maybe companies that handle private data should be required to insure themselves like banks do. If a bank gets robbed the customers don't lose their money, there is a fund that all banks pay in to which covers it.

Re:Good plan. (1)

davester666 (731373) | about a year ago | (#43606973)

Yes.

But jokes aside, this kind of legislation needs a different kind of 'maximum' fine. Something along the lines of "X percent of your revenue" [not in-country profit, as that is gamed to get to zero by the big companies].

Re:Good plan. (2)

c0lo (1497653) | about a year ago | (#43605771)

I know I am restating the obvious, but I find it interesting how no one is ever responsible for the security breach...

Once the lack of adequate security starts hurting the operators of the breachable system enough, they'll start acting very responsibly (and responsively) instead of sweeping the dust under the carpet.

"Anti-hacking" laws are cost externalization, as they allow the operators to relax on the security side, at the expense of tax-payers (who pay for the policing, investigations, suits and possibly the sustenance of an offender in jail). Mind you, as a tax payer, you get to pay those costs even if you aren't using the un-secured system.

Re:Good plan. (2)

Dexter Herbivore (1322345) | about a year ago | (#43606685)

From the summary "...pursue fines of up to $1.7 million for organizations that are repeatedly breached...", this act covers that eventuality.

Reasonable Steps (2)

Zaelath (2588189) | about a year ago | (#43605301)

I know summaries are meant to be hyperbolic, but given you only have to take "reasonable steps" to secure customer data, there's not going to be too many $1.7 million repeat-offender fines meted out.

Re:Reasonable Steps (2)

Mitreya (579078) | about a year ago | (#43605321)

given you only have to take "reasonable steps" to secure customer data, there's not going to be too many $1.7 million repeat-offender fines meted out.

You also need higher penalties for not reporting the breach.

Or Australians will simply never hear about any data losses ever again...

Re:Reasonable Steps (0)

Anonymous Coward | about a year ago | (#43607133)

Australia is a small country (population-wise); there are not many consumer companies here that would consider $1.7 million a small fine compared to the revenue they make. Still, I think it should be cripplingly higher, as while there are valid excuses for suffering a security breach, there are no excuses for not following notification requirements.

Re:Reasonable Steps (1)

Electricity Likes Me (1098643) | about a year ago | (#43613629)

given you only have to take "reasonable steps" to secure customer data, there's not going to be too many $1.7 million repeat-offender fines meted out.

You also need higher penalties for not reporting the breach.

Or Australians will simply never hear about any data losses ever again...

The point of the law is to shut down the "notified of security flaw, did nothing" issue which shows up on /. repeatedly, often in relation to things like banks.

You notify the company; if they do nothing you notify the government, who in turn now have the power to fine the company if they get breached. Cue companies actually reacting to security-flaw notifications rather than ignoring them till something happens.

Re:Reasonable Steps (1)

AHuxley (892839) | about a year ago | (#43605553)

Just thinking about very basic random issues in Australia:
I would expect a person in charge to be listed, a 24/7 contact on call, a person with the task to look after data given the size of the fines.
Some attempt to understand version drift, major exploits by staff and shown to be mapped out/some attempt to be blocked.
Upgrading to or using some "good" password-based key derivation function.
Making sure any common MS infection in ~admin staff areas does not get to move data out in bulk.
Making sure data cannot be shared on "any" web browser with the 'one' correct 'valid for many many weeks' password.
Police checks and background interviews for cleared staff are still valid.
Sadly many Australian systems are turnkey software that just works for 2-5-10 years.
If something goes wrong with the frozen-in-time backend turnkey software over the years, they dump in new turnkey hardware.
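The "good password-based key derivation function" item in the list above, as an added example that is not code from this thread or from any Australian system: PBKDF2-HMAC-SHA256 from Python's standard library, with a fresh random salt per password, the iteration count stored next to the hash so the work factor can be raised later, a constant-time comparison on verify, and a "needs rehash" signal so an old record is upgraded on the next successful login instead of forcing a password reset. The record format, the 600,000-iteration setting and the password values are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Added example (not from the Slashdot thread): PBKDF2-HMAC-SHA256 password storage
# with a per-user salt, a stored iteration count and a rehash-on-login signal.

ALGORITHM = "pbkdf2_sha256"
CURRENT_ITERATIONS = 600_000   # assumption: today's work factor; tune to ~100 ms on your hardware
SALT_BYTES = 16
KEY_BYTES = 32


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 (RFC 8018) from the standard library; returns KEY_BYTES bytes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, KEY_BYTES)


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record (assumed format): algorithm$iterations$salt_hex$key_hex.

    Storing the iteration count with the hash is what lets the work factor be raised later
    without invalidating every existing record.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh random salt per password, never reused
    key = derive_key(password, salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> Tuple[bool, bool]:
    """Return (ok, needs_rehash).

    ok           - password matches the record (compared in constant time)
    needs_rehash - password matched but the record was made with a lower work factor
                   than CURRENT_ITERATIONS, so the caller should call hash_password()
                   again and overwrite the stored record while the plaintext is in hand.
    """
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False, False          # unknown or malformed record: refuse, do not guess
    iterations = int(parts[1])
    salt = bytes.fromhex(parts[2])
    stored_key = bytes.fromhex(parts[3])
    candidate = derive_key(password, salt, iterations)
    ok = hmac.compare_digest(candidate, stored_key)   # constant-time, no early exit on mismatch
    return ok, ok and iterations < CURRENT_ITERATIONS


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")   # constructed sample password
    print(record)
    print(verify_password("correct horse battery staple", record))   # (True, False)
    old_record = hash_password("correct horse battery staple", iterations=1000)
    print(verify_password("correct horse battery staple", old_record))   # (True, True) -> rehash
```

Usage note: on a login where verify_password returns (True, True), call hash_password again with the default iteration count and replace the stored record; over time every active account migrates to the new work factor without anyone being asked to reset a password. PBKDF2 is the floor, not the ceiling: scrypt (hashlib.scrypt) or Argon2 raise the memory cost as well, and the same record-with-parameters pattern applies to them.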

The most surprising thing (4, Insightful)

icebike (68054) | about a year ago | (#43605309)

The most surprising thing is that Australia has a Privacy Commissioner.
From what I read in the press that is the exact opposite of what I would expect from that government.

Re:The most surprising thing (1)

Bremic (2703997) | about a year ago | (#43605713)

This is especially true as the current version of the tax software that pretty much everyone has to use to submit their End of Financial Year tax data only works with Internet Explorer, and has troubles with IE 8+.

As I don't have a machine capable of running IE 6-8 I spoke to an accountant, who told me they collect the data and submit it using IE 7.

I looked, and it is all submitted using http (not https), so there is absolutely no concern about even the minimum amount of security on people's tax data. This includes everything from income, dependants, name, address, TFN, phone contacts... the lot. All submitted using http in IE.

Fun times people. Fun times.

Re:The most surprising thing (0)

Anonymous Coward | about a year ago | (#43605963)

This is absolute bullshit. There are a number of submission methods possible and I have never run into issues filing tax returns using Firefox or the Windows application in Linux (WINE).

Re:The most surprising thing (0)

Anonymous Coward | about a year ago | (#43606393)

What application are you talking about? The most widely used one is surely the ATO's e-Tax application which is a Windows-only application, and it doesn't use Internet Explorer anywhere that I've seen.

Re:The most surprising thing (0)

Anonymous Coward | about a year ago | (#43607271)

... it is all submitted using http ....

When on-line tax returns first appeared, one had to get a session certificate first. That disappeared and now I hope the e-tax software does the encryption.

Re:The most surprising thing (1)

Electricity Likes Me (1098643) | about a year ago | (#43613663)

... it is all submitted using http ....

When on-line tax returns first appeared, one had to get a session certificate first. That disappeared and now I hope the e-tax software does the encryption.

HTTP submission is pretty common, since it's structurally easier to manage than SSL. You just use RSA encrypted payloads instead.

Re:The most surprising thing (1)

chihowa (366380) | about a year ago | (#43606289)

The most surprising thing is that Australia has a Privacy Commissioner.
From what I read in the press that is the exact opposite of what I would expect from that government.

Maybe it's like the Drug Czar in the US. I used to think that job sounded awesome when I was a teenager.

Re:The most surprising thing (1)

Anonymous Coward | about a year ago | (#43607223)

I know Slashdot has mentioned Australia's proposed internet filter, proposed legal snooping of all telecommunications, etc... Every government has people who suggest stupid things. They don't actually get implemented, and Australia isn't actually an Orwellian dictatorship or anything.

Re:The most surprising thing (1)

sd4f (1891894) | about a year ago | (#43608075)

It's a bread and circus er ship, whatever you call that. We have some world leading corrupt parliamentarians.

What a load of hooie (4, Insightful)

OhANameWhatName (2688401) | about a year ago | (#43605347)

It appears to take a conservative approach in its demand for data breaches to be reported, with only classifications of serious data breaches considered

Australian privacy regulations are a total joke. The privacy commissioner is a bureaucrat with no power. Businesses take, steal, trade, share, sell and harvest personal details willy nilly and there's no oversight or punishment whatsoever. How do they accomplish this? They set up shell companies which they use to harvest, trade and purchase personal data then shut down the companies after they've 'purchased' the data from them. "No Mr privacy commissioner, it wasn't us. It was company ABC which unfortunately .. is now a defunct corporation so there's no way to know how they got those private details. But before they closed up business in the floor below us, they assured us that everything was perfectly legal. Honest to goodness sir, there's simply nothing we can do!"

Privacy isn't even a remotely important priority. Anything that's raised as a bill is going to be full of loopholes like Swiss cheese, because the political representatives in Australia include people with (how shall I put this gently) .. 'ties' to large marketing companies. Banks track purchases for the police (with no oversight or warrant), personal details are sold straight out of ATO records, supermarkets track every single purchase a person makes throughout their lives, trading this to whomever they consider a 'business partner', and the consumer (if they manage to discover a company has their details) doesn't even have the right to have those details removed from the company's database.

BTW .. the content in this post is not assumption or guess work, I've personally experienced everything listed here.

weird that this isn't already the case (3, Insightful)

Trepidity (597) | about a year ago | (#43605443)

I'm not sure what black-magic software companies and webservice providers incanted to manage to exempt themselves from traditional product-liability law. If you sell a widget and your design was shit in a way that causes monetary damages, traditionally you are liable. If you sell a widget and your design sucks so bad that it doesn't even work (even without causing real damages), then people are at least entitled to a refund. But software somehow avoids this: your design can be buggy as hell and somehow you are not liable for shipping a shit product that didn't fulfill its advertised purpose and may have actually actively harmed people.

This bill seems to just take one small step towards restoring some minimal degree of responsibility for your product.

Re:weird that this isn't already the case (-1)

Anonymous Coward | about a year ago | (#43605525)

Or why not leave it to the market to decide? This is one of those things where you're responsible for your own privacy. Making any assumption that your information is secure and safe is a mistake. If Facebook gets hacked, and loses your personal information, the crime was against Facebook. It doesn't matter if they wrapped tinfoil around their servers, or had real security measures in place... you signed up, chose to use their product without any real knowledge or guarantees. You have no legal rights to speak of if they screw everything up. It was your choice, informed or ignorant, to give them your information.

It was your choice to use a service that has no guarantee of privacy.

Now if the registration and signup process included a contract in which you agreed to provide your information, and they in turn agreed to protect it, you then have a legal leg to stand on. There are no such guarantees in place for most websites these days. The ones that do will likely get shafted by lawsuits when they inevitably have a breach.

The only thing laws like this do is give politicians faux credibility and make life more difficult for people in the real world.

Re:weird that this isn't already the case (2)

Trepidity (597) | about a year ago | (#43605613)

"Why not leave it to the market to decide?" is one of those Poe's Law sort of questions.

Re:weird that this isn't already the case (1)

mark-t (151149) | about a year ago | (#43605621)

Not a bad idea... but I can think of four immediately obvious cases where I can see managing privacy not being entirely in one's own hands:
  1. Their employer.
  2. Their medical health professional.
  3. Their school
  4. And their government.

Re:weird that this isn't already the case (1)

Guinness Beaumont (2901413) | about a year ago | (#43605679)

Most issues with software are PEBKAC; that's why. There's a reason that checklists in tech support take care of 80% of calls.

Re:weird that this isn't already the case (1)

Trepidity (597) | about a year ago | (#43605797)

Even accounting for that, though, software providers get away with providing stuff that really is catastrophically buggy, without incurring liability, on the basis of some shrinkwrap EULAs that wouldn't fly in any other field.

Re:weird that this isn't already the case (0)

Anonymous Coward | about a year ago | (#43605867)

Ah - but that EULA is why you never really bought anything but the right to use the buggy product in the first place. Your right to use wasn't bad - what you had the right to use was, and there was no guarantee on that.

Re:weird that this isn't already the case (2)

Trepidity (597) | about a year ago | (#43605923)

So can I sell you some chicken with an EULA which covers me from liability in the event that the chicken actually contains high levels of Salmonella? No, I can't.

Re:weird that this isn't already the case (1)

Guinness Beaumont (2901413) | about a year ago | (#43619681)

But you can. Go order a rare steak -- you'll be reminded that raw meat is raw, and that's a EULA in form of legal waiver.

Re:weird that this isn't already the case (1)

Anonymous Coward | about a year ago | (#43607465)

Most issues with software are PEBKAC; that's why. There's a reason that checklists in tech support take care of 80% of calls.

No, PEBKAC is usually an excuse mediocre programmers use to cover up their own inadequacies. A checklist is a way of covering common problems. Why is that problem common?

Software is a tool that is supposedly designed for users and if the target audience are unable to use that tool quickly and efficiently with a minimum of fuss then it's the fault of the tool designer and nobody else. Mediocre programmers often expect their users to be mind readers, robots and/or have time to waste.

Missed a word (0)

Anonymous Coward | about a year ago | (#43605937)

I misread the title. The meaning is quite different with the word "Bill" removed.

$1.7 million? (1)

Alex Belits (437) | about a year ago | (#43606435)

fines of up to $1.7 million

or all the change in the CEO's pocket, whichever is greater?

Re:$1.7 million? (1)

smash (1351) | about a year ago | (#43606533)

They're aussie dollars, so by the time the law is ratified it will likely be the equivalent of about 100 million $us.